An Android security researcher has found a way to bypass the factory reset protection (FRP) in the latest Android 6.0.1 Marshmallow build complete with the latest May Android Security Update.
While it’s a complicated process, the method detailed by RootJunky apparently manages to bypass the factory reset protection system on the Huawei-made Nexus 6P. The researcher has detailed the bypass, meant specifically for Nexus devices, in a YouTube video seen later in the article.
RootJunky explains that when Nexus users (or thieves) have reset their smartphones, they can skip the FRP check by disconnecting the Wi-Fi they’re currently connected to. One they have done so, they can then create a Google account using a special apk file and the preloaded Chrome browser. Once they have signed into the new account, and the phone syncs to the account, they can then reset the smartphone again – but this time, they know the password to the account the smartphone, and will have full access to the smartphone.
To recall, Google first introduced Factory Reset Protection, also known as Device Protection, with Android 5.1 Lollipop. The system is meant to ensure that if an Android device has been stolen, the thief cannot gain full access to the device even after factory resetting it.
The researcher says he submitted this bypass, which he says works on Nexus devices with older security patches as well, to Google along with other privilege escalation methods as security risks. Google however did not acknowledge the bypass to be a real security risk. Of course, while the method is complex, it is not so complex that determined smartphone thieves cannot use it to reset a large number of stolen devices.